USING EMET TO DEFEND AGAINST TARGETED ATTACKS PRESENTED BY ROBERT HENSING – SENIOR CONSULTANT – MICROSOFT CORPORATION.

WHOAMI
Robert Hensing
15 year Microsoft veteran
Developed original versions of W.O.L.F. and AutoDump+ (tools used by Customer Support for Incident Response and Debugging respectively)
Trustworthy Computing Division alumnus
5 year tour in MSRC Engineering – Defense team
Co-developed GUT (Swiss army knife hex editor / fuzzer / vulnerability detection framework)
Co-developed a technique that uses the Windows shim engine to mitigate vulnerable code via ‘Shimpatches’ (as featured in recent IE Security Advisories)
Currently a boring C# Developer Consultant in the National Security Group practice
I used to be somebody.

TRUSTWORTHY COMPUTING - SECURITY CENTERS
Protecting Microsoft customers throughout the entire life cycle (in development, deployment and operations)
Product life cycle: Conception, SDL, Release
Microsoft Security Engineering Center (MSEC): Security Assurance, Security Science
Microsoft Malware Protection Center (MMPC)
Microsoft Security Response Center (MSRC): Ecosystem Strategy, MSRC Ops, MSRC Engineering

THE SOFTWARE VULNERABILITY ASYMMETRY PROBLEM
Defender must fix all vulnerabilities in all software; the attacker wins by finding and exploiting just one vulnerability
Threats change over time: the state of the art in vulnerability finding and attack techniques changes over time
Patch deployment takes time: the vendor must offset risks to stability and compatibility, and the customer waits for a servicing cycle
Result: attackers only have to find one vulnerability, and they get to use it for a really long time.

EXPLOIT ECONOMICS
Attacker Return = (Gains per use × Opportunities to use) - (Cost to acquire vulnerability + Cost to weaponize)

EXPLOIT ECONOMICS
We can decrease Attacker Return if we are able to:
Increase the attacker investment required to find usable vulnerabilities
  Remove entire classes of vulnerabilities where possible
  Focus on automation to scale human efforts
Increase the attacker investment required to write reliable exploits
  Build mitigations that add brittleness
  Make exploits impossible to write completely reliably
Decrease the attacker's opportunity to recover their investment
  Shrink the window of vulnerability
  Fewer opportunities via artificial diversity
  Enable rapid detection and suppression of exploit usage
Desired result: usable attacks will be rare and require significant engineering; working exploits will become scarce and valuable

INCREASE ATTACKER INVESTMENT REQUIRED TO FIND VULNERABILITIES
Exploit Economics Strategy – Step 1

EMBEDDING SECURITY INTO SOFTWARE AND CULTURE
Tactics for Vulnerability Reduction
Remove entire classes of vulnerabilities
  Security tooling
  Additional product features
Remove all currently findable vulnerabilities
  Complete automation of tooling: SDL tools, Threat Modeling tool
  Fuzzing toolsets plus ways to streamline and improve triage
  Tool overlays to increase signal-to-noise and focus attention on the right code
Verification and enforcement
  Audit individual tool usage via process tools
  Process tools required for SDL signoff (policy enforcement)
Ongoing process improvements

PREVENT RELIABLE EXPLOITATION OF VULNERABILITIES Exploit Economics Strategy – Step 2

EMBEDDING SECURITY INTO SOFTWARE AND CULTURE
Tactics to Frustrate Exploits
Reduce the surface we have to defend
  Attack surface reduction
  Design additional product mitigations
Make remaining vulnerabilities difficult or impossible to exploit
  Build mitigations that add exploit brittleness
Ongoing process improvements

DIGITAL COUNTERMEASURES
Improve system survivability against exploitation of unknown vulnerabilities
Three goals:
  Increase attacker requirements, e.g. must be authenticated, local subnet only
  Deterrent: no economically reliable exploit exists
  Mitigation: break 100% reliable universal exploits
These often must be combined
Even when successful, the result is still impactful to the user: the mitigation typically terminates the attacked process rather than letting it continue

MITIGATION APPROACHES
Enforce invariants
  Data Execution Prevention (DEP)
  Heap and pool metadata checks
  SafeSEH / SEH Overwrite Protection (SEHOP)
Utilize knowledge deficits
  Utilize secrets such that guessing impairs exploit reliability
    /GS: protect stack buffers by checking a random cookie placed between them and the frame's control structures
    Function pointer encoding
  Artificial diversity
    ASLR: Address Space Layout Randomization
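To make the "secret" idea concrete, here is an added worked example (not code from the slides, not the MSVC runtime) that simulates a /GS stack cookie. The frame layout is a constructed struct rather than a real compiler frame, the cookie seed is fixed so the run is deterministic, and the function names are this example's own; what it shows is the three cases that matter to a practitioner: a benign copy, an overflow that trips the check, and an overflow by an attacker who already knows the cookie value, which the check cannot catch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated stack frame: a fixed-size local buffer, then the /GS-style
 * cookie, then the control data (saved return address) an overflow is
 * really after. Real frames are laid out by the compiler; this struct
 * stands in for that layout so the demo is portable (constructed). */
typedef struct {
    char      buf[16];
    uint32_t  cookie;
    uintptr_t saved_return;
} frame_t;

/* Process-wide secret, analogous to MSVC's __security_cookie. A real
 * runtime seeds it from unpredictable values at startup; here the seed
 * is a parameter so the demo is deterministic (constructed). */
static uint32_t g_security_cookie;

void init_security_cookie(uint32_t seed) {
    g_security_cookie = seed ^ 0xBB40E64Eu;
}

/* Returns 0 if the cookie survived the copy, 1 if the epilogue check
 * fails (the real /GS epilogue calls __report_gsfailure and aborts). */
int copy_with_gs(const unsigned char *input, size_t len) {
    frame_t f;
    memset(&f, 0, sizeof f);
    f.cookie = g_security_cookie;            /* prologue: plant the cookie */
    f.saved_return = (uintptr_t)0x41414141u; /* stand-in for a return address */

    /* The bug: len bytes copied into a 16-byte buffer with no bounds
     * check. Clamped to the struct so the demo stays inside it. */
    if (len > sizeof f) len = sizeof f;
    memcpy((unsigned char *)&f, input, len);

    /* epilogue: compare the stored cookie with the global secret */
    return f.cookie == g_security_cookie ? 0 : 1;
}

/* 8 bytes: fits in the buffer, cookie untouched -> 0 */
int demo_benign(void) {
    static const unsigned char in[8] = "ABCDEFG";
    init_security_cookie(0x01234567u);
    return copy_with_gs(in, sizeof in);
}

/* 24 bytes of filler: clobbers the cookie on the way to saved_return -> 1 */
int demo_overflow(void) {
    unsigned char in[24];
    init_security_cookie(0x01234567u);
    memset(in, 'A', sizeof in);
    return copy_with_gs(in, sizeof in);
}

/* The caveat: the cookie only helps while it is secret. With a leaked
 * value the attacker writes it back in place, the check passes, and
 * saved_return is still overwritten -> 0 */
int demo_known_cookie(void) {
    unsigned char in[24];
    init_security_cookie(0x01234567u);
    memset(in, 'A', sizeof in);
    memcpy(in + offsetof(frame_t, cookie), &g_security_cookie, sizeof g_security_cookie);
    return copy_with_gs(in, sizeof in);
}

int main(void) {
    printf("benign copy:      %s\n", demo_benign()       ? "GS failure" : "ok");
    printf("overflow:         %s\n", demo_overflow()     ? "GS failure" : "ok");
    printf("overflow w/ leak: %s\n", demo_known_cookie() ? "GS failure" : "ok (bypassed)");
    return 0;
}
```

The third case is why the slide files /GS under "knowledge deficits" rather than "invariants": an info leak that discloses the cookie turns a probabilistic mitigation into no mitigation, which is exactly the brittleness that other layers (ASLR, DEP, SEHOP) are meant to compound.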

MEMORY SAFETY MITIGATIONS ROADMAP (timeline chart; only the labels survived extraction, and their placement on the timeline is not recoverable)
Rows: Stack; Heap / Pool; Executable Code
Stack-related labels: /GS 1.0, /GS 1.1, /GS 3.0, EH4, SEHOP, SEHOP IE, SEHOP + HEASLR + ForceASLR IE10
Heap / pool labels: Heap 1.0, Heap 2.0, HeapTerm, Safe Unlinking (2009), Heap Rand / Hardening (2012)
Executable code labels: DEP, DEP IE, /NXCOMPAT, DEP+ATL, DEP O, ASLR

SOFTWARE SECURITY HAS EVOLVED
Mitigations in software have evolved significantly since the release of Windows XP
Internet Explorer 10 on Windows 8 benefits from an extensive number of platform security improvements (not available to Internet Explorer 8 on Windows XP)

ENHANCED MITIGATION EXPERIENCE TOOLKIT (EMET)

EVOLUTION OF EMET MITIGATIONS & FEATURES

EVOLUTION OF EMET MITIGATIONS (CONTINUED)

MS – INTERNET EXPLORER CVE (CBUTTON USE AFTER FREE)
0-day vulnerability being used in limited targeted attacks prior to bulletin release; discovered by FireEye circa 12/27/2012
Vulnerability about as bad as it gets: remote code execution in all versions of IE (at the time), exploitable via a web page
Fixed by MS on 1/14/
Standard mitigations in the bulletin were:
  Don't open Office documents
  Set the Internet zone to High (yeah right)
  Disable Active Scripting and ActiveX controls (yeah right)

DEMONSTRATION - EMET VS. MS CVE (CBUTTON UAF) A ‘watering hole’ attack from

DEMONSTRATION

RECENT EMET RELATED DEVELOPMENTS
Attackers vs. EMET in the news (February 11th)
Security company vs. EMET in the news (February 24th)
Microsoft vs. EMET in the news (February 25th)

THIS EXPLOIT ATTEMPT WILL SELF-DESTRUCT...

THIS AIN’T A SCENE, IT’S AN ARMS RACE
On February 24th Bromium Labs claimed to be able to bypass all EMET 4.1 mitigations, leading to a big press cycle during the RSA conference.
They discussed ways of bypassing the various ROP mitigations individually, and a way of bypassing the StackPivot mitigation.
They created an exploit payload that made use of many of their discoveries but that eventually needed to call NtProtectVirtualMemory, the ntdll routine underneath VirtualProtect. EMET only hooks that lower-level API when ‘Deep Hooks’ is enabled.
They noted that Deep Hooks was not enabled by default, which was convenient for them. So EMET 5.0 will enable Deep Hooks by default! This required working with some vendors (McAfee HIPS) to wait for updated versions of their products to be released.
Bottom line: EMET is not invincible, but it does raise the bar for adversaries, and Microsoft is committed to investigating new bypasses and addressing them in future versions of EMET where possible.
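The reason the Bromium payload had to reach for NtProtectVirtualMemory is easier to see in code. The following is an added model (not EMET's code and not a real Windows API call chain; it runs on any platform) of the two-layer hooking the slide describes: VirtualProtect in kernel32 is a thin wrapper over ntdll's NtProtectVirtualMemory, EMET's default hook sits on the wrapper, and Deep Hooks adds a hook on the native routine. EMET's Caller check (refuse a critical API that was reached via RET, i.e. from a ROP gadget, rather than CALL) is simplified here to a flag the caller passes in; the function names, the return codes and the JIT example are this model's own assumptions.

```c
#include <stdio.h>

/* Mock of the Windows memory-protection call chain. The documented
 * VirtualProtect (kernel32) is a thin wrapper around the native
 * NtProtectVirtualMemory (ntdll). EMET's default hooks sit on the
 * wrapper; with Deep Hooks on, the native routine is hooked as well.
 * Nothing here touches real Windows APIs; it is a constructed model. */

#define PAGE_EXECUTE_READWRITE 0x40u

enum { NT_SUCCESS = 0, NT_ACCESS_DENIED = 1 };

static int g_deep_hooks;           /* EMET "Deep Hooks" setting */
static const char *g_blocked_by;   /* which hook refused the last call */

/* EMET's Caller check, simplified: a critical API that was reached via a
 * RET (i.e. from a ROP gadget) instead of a CALL is refused. The mock
 * takes that observation as a flag rather than inspecting the stack. */
static int hook_allows(const char *hook_name, unsigned protect, int reached_via_ret) {
    if (protect == PAGE_EXECUTE_READWRITE && reached_via_ret) {
        g_blocked_by = hook_name;
        return 0;
    }
    return 1;
}

/* ntdll layer: hooked only when Deep Hooks is enabled */
static int nt_protect_virtual_memory(unsigned protect, int reached_via_ret) {
    if (g_deep_hooks && !hook_allows("deep hook on NtProtectVirtualMemory", protect, reached_via_ret))
        return NT_ACCESS_DENIED;
    return NT_SUCCESS;   /* the kernel would change the page protection here */
}

/* kernel32 layer: always hooked by EMET. It reaches ntdll with a real
 * CALL, so the inner hook sees a legitimate caller. */
static int virtual_protect(unsigned protect, int reached_via_ret) {
    if (!hook_allows("default hook on VirtualProtect", protect, reached_via_ret))
        return NT_ACCESS_DENIED;
    return nt_protect_virtual_memory(protect, 0);
}

/* A ROP chain trying to make its payload page RWX.
 * Returns 1 if EMET blocked it, 0 if the protection change went through. */
int rop_attempt(int call_ntdll_directly, int deep_hooks) {
    int rc;
    g_deep_hooks = deep_hooks;
    g_blocked_by = NULL;
    rc = call_ntdll_directly
        ? nt_protect_virtual_memory(PAGE_EXECUTE_READWRITE, 1)
        : virtual_protect(PAGE_EXECUTE_READWRITE, 1);
    return rc == NT_ACCESS_DENIED;
}

/* A legitimate JIT making a page RWX through the documented API via CALL.
 * Returns 1 if blocked (a false positive), 0 if allowed. */
int legit_attempt(int deep_hooks) {
    g_deep_hooks = deep_hooks;
    g_blocked_by = NULL;
    return virtual_protect(PAGE_EXECUTE_READWRITE, 0) == NT_ACCESS_DENIED;
}

const char *last_blocked_by(void) {
    return g_blocked_by ? g_blocked_by : "(not blocked)";
}

int main(void) {
    printf("ROP via VirtualProtect, deep hooks off:        blocked=%d by %s\n",
           rop_attempt(0, 0), last_blocked_by());
    printf("ROP via NtProtectVirtualMemory, deep hooks off: blocked=%d by %s\n",
           rop_attempt(1, 0), last_blocked_by());
    printf("ROP via NtProtectVirtualMemory, deep hooks on:  blocked=%d by %s\n",
           rop_attempt(1, 1), last_blocked_by());
    printf("legit JIT, deep hooks on:                      blocked=%d\n",
           legit_attempt(1));
    return 0;
}
```

The second line of output is the Bromium case: with the hook only on the wrapper, a chain that resolves the ntdll export and calls it directly never meets the check. Deep Hooks closes that path at the cost of hooking functions that other products (the McAfee HIPS case above) also hook, which is why enabling it by default needed vendor coordination.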

OH NOZ!!! THE END IS NEAR! (0-DAY MAY)
On April 8, 2014, Windows XP will no longer be supported by Microsoft. This means customers will no longer receive:
  New security updates
  Non-security hotfixes
  Free or paid assisted support options
  Online technical content updates
New vulnerabilities discovered after support ends for Windows XP will not be addressed without an expensive custom support agreement.
If only there was something inexpensive that you could do to protect all those un-patched Windows XP boxes from exploit attempts...

CALL TO ACTION
Follow the Security Research and Defense blog to stay on top of the latest trends in security research and defense!
Keep an eye on www.microsoft.com/emet for updates and announcements
Evaluate and deploy EMET 4.1 (XP+) now, or EMET 5.0 (Vista+) when it releases
Protect critical applications such as Internet Explorer, Firefox, Office, Adobe Acrobat, etc.
Monitor for EMET related events in the event log using System Center or other enterprise monitoring software to spot 733t 0-day attempts (that don’t detect EMET and self-destruct!)
Support: